#3533

Committed 20 Nov 2024 07:11AM UTC coverage: 58.848% (-1.9%) from 60.78%

Build # #3533

Build Type

push

travis-ci

Committed by

web-flow

Commit Message

Merge pull request #28823 from taosdata/fix/3.0/TD-32587

fix:[TD-32587]fix stmt segmentation fault

Run Details

115578 of 252434 branches covered (45.79%)

Branch coverage included in aggregate %.

1 of 4 new or added lines in 1 file covered. (25.0%)

8038 existing lines in 233 files now uncovered.

194926 of 275199 relevant lines covered (70.83%)

1494459.59 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.92

/source/libs/parser/src/parAuthenticator.c

/*
 * Copyright (c) 2019 TAOS Data, Inc. <jhtao@taosdata.com>
 *
 * This program is free software: you can use, redistribute, and/or modify
 * it under the terms of the GNU Affero General Public License, version 3
 * or later ("AGPL"), as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include "catalog.h"
#include "cmdnodes.h"
#include "parInt.h"

typedef struct SAuthCxt {
  SParseContext*   pParseCxt;
  SParseMetaCache* pMetaCache;
  int32_t          errCode;
} SAuthCxt;

typedef struct SSelectAuthCxt {
  SAuthCxt*    pAuthCxt;
  SSelectStmt* pSelect;
} SSelectAuthCxt;

typedef struct SAuthRewriteCxt {
  STableNode*  pTarget;
} SAuthRewriteCxt;

static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt);

static int32_t setUserAuthInfo(SParseContext* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type,
                            bool isView, bool effective, SUserAuthInfo* pAuth) {
  if (effective) {
    snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pEffectiveUser ? pCxt->pEffectiveUser : "");
  } else {
    snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pUser);
  }

  if (NULL == pTabName) {
    int32_t code = tNameSetDbName(&pAuth->tbName, pCxt->acctId, pDbName, strlen(pDbName));
    if (TSDB_CODE_SUCCESS != code) return code;
  } else {
    toName(pCxt->acctId, pDbName, pTabName, &pAuth->tbName);
  }
  pAuth->type = type;
  pAuth->isView = isView;
  return TSDB_CODE_SUCCESS;
}

static int32_t checkAuthImpl(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond, bool isView, bool effective) {
  SParseContext* pParseCxt = pCxt->pParseCxt;
  if (pParseCxt->isSuperUser) {
    return TSDB_CODE_SUCCESS;
  }

  AUTH_RES_TYPE auth_res_type = isView ? AUTH_RES_VIEW : AUTH_RES_BASIC;
  SUserAuthInfo authInfo = {0};
  int32_t code = setUserAuthInfo(pCxt->pParseCxt, pDbName, pTabName, type, isView, effective, &authInfo);
  if (TSDB_CODE_SUCCESS != code) return code;
  SUserAuthRes authRes = {0};
  if (NULL != pCxt->pMetaCache) {
    code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);
#ifdef TD_ENTERPRISE
    if (isView && TSDB_CODE_PAR_INTERNAL_ERROR == code) {
      authInfo.isView = false;
      code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);
    }
#endif
  } else {
    SRequestConnInfo conn = {.pTrans = pParseCxt->pTransporter,
                             .requestId = pParseCxt->requestId,
                             .requestObjRefId = pParseCxt->requestRid,
                             .mgmtEps = pParseCxt->mgmtEpSet};
    code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes);
  }
  if (TSDB_CODE_SUCCESS == code && NULL != pCond) {
    *pCond = authRes.pCond[auth_res_type];
  }
  return TSDB_CODE_SUCCESS == code ? (authRes.pass[auth_res_type] ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED) : code;
}


static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {
  return checkAuthImpl(pCxt, pDbName, pTabName, type, pCond, false, false);
}

static int32_t checkEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {
  return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, false, true);
}

static int32_t checkViewAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {
  return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, true, false);
}

static int32_t checkViewEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {
  return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, true, true);
}

static EDealRes authSubquery(SAuthCxt* pCxt, SNode* pStmt) {
  return TSDB_CODE_SUCCESS == authQuery(pCxt, pStmt) ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
}

static int32_t mergeStableTagCond(SNode** pWhere, SNode* pTagCond) {
  SLogicConditionNode* pLogicCond = NULL;
  int32_t code = nodesMakeNode(QUERY_NODE_LOGIC_CONDITION, (SNode**)&pLogicCond);
  if (NULL == pLogicCond) {
    return code;
  }
  pLogicCond->node.resType.type = TSDB_DATA_TYPE_BOOL;
  pLogicCond->node.resType.bytes = tDataTypes[TSDB_DATA_TYPE_BOOL].bytes;
  pLogicCond->condType = LOGIC_COND_TYPE_AND;
  code = nodesListMakeStrictAppend(&pLogicCond->pParameterList, pTagCond);
  if (TSDB_CODE_SUCCESS == code) {
    code = nodesListMakeAppend(&pLogicCond->pParameterList, *pWhere);
  }
  if (TSDB_CODE_SUCCESS == code) {
    *pWhere = (SNode*)pLogicCond;
  } else {
    nodesDestroyNode((SNode*)pLogicCond);
  }
  return code;
}

EDealRes rewriteAuthTable(SNode* pNode, void* pContext) {
  if (QUERY_NODE_COLUMN == nodeType(pNode)) {
    SColumnNode* pCol = (SColumnNode*)pNode;
    SAuthRewriteCxt* pCxt = (SAuthRewriteCxt*)pContext;
    strcpy(pCol->tableName, pCxt->pTarget->tableName);
    strcpy(pCol->tableAlias, pCxt->pTarget->tableAlias);
  }

  return DEAL_RES_CONTINUE;
}

static int32_t rewriteAppendStableTagCond(SNode** pWhere, SNode* pTagCond, STableNode* pTable) {
  SNode* pTagCondCopy = NULL;
  int32_t code = nodesCloneNode(pTagCond, &pTagCondCopy);
  if (NULL == pTagCondCopy) {
    return code;
  }

  SAuthRewriteCxt cxt = {.pTarget = pTable};
  nodesWalkExpr(pTagCondCopy, rewriteAuthTable, &cxt);

  if (NULL == *pWhere) {
    *pWhere = pTagCondCopy;
    return TSDB_CODE_SUCCESS;
  }

  if (QUERY_NODE_LOGIC_CONDITION == nodeType(*pWhere) &&
      LOGIC_COND_TYPE_AND == ((SLogicConditionNode*)*pWhere)->condType) {
    return nodesListStrictAppend(((SLogicConditionNode*)*pWhere)->pParameterList, pTagCondCopy);
  }

  return mergeStableTagCond(pWhere, pTagCondCopy);
}

static EDealRes authSelectImpl(SNode* pNode, void* pContext) {
  SSelectAuthCxt* pCxt = pContext;
  SAuthCxt*       pAuthCxt = pCxt->pAuthCxt;
  bool            isView = false;
  if (QUERY_NODE_REAL_TABLE == nodeType(pNode)) {
    SNode*      pTagCond = NULL;
    STableNode* pTable = (STableNode*)pNode;
#ifdef TD_ENTERPRISE
    SName name = {0};
    toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);
    STableMeta* pTableMeta = NULL;
    toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);
    int32_t code = getTargetMetaImpl(
        pAuthCxt->pParseCxt, pAuthCxt->pMetaCache, &name, &pTableMeta, true);
    if (TSDB_CODE_SUCCESS == code && TSDB_VIEW_TABLE == pTableMeta->tableType) {
      isView = true;
    }
    taosMemoryFree(pTableMeta);
#endif
    if (!isView) {
      pAuthCxt->errCode = checkAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, &pTagCond);
      if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {
        pAuthCxt->errCode = checkEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);
      }
      if (TSDB_CODE_SUCCESS == pAuthCxt->errCode && NULL != pTagCond) {
        pAuthCxt->errCode = rewriteAppendStableTagCond(&pCxt->pSelect->pWhere, pTagCond, pTable);
      }
    } else {
      pAuthCxt->errCode = checkViewAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);
      if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {
        pAuthCxt->errCode = checkViewEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);
      }
    }
    return TSDB_CODE_SUCCESS == pAuthCxt->errCode ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;
  } else if (QUERY_NODE_TEMP_TABLE == nodeType(pNode)) {
    return authSubquery(pAuthCxt, ((STempTableNode*)pNode)->pSubquery);
  }
  return DEAL_RES_CONTINUE;
}

static int32_t authSelect(SAuthCxt* pCxt, SSelectStmt* pSelect) {
  SSelectAuthCxt cxt = {.pAuthCxt = pCxt, .pSelect = pSelect};
  nodesWalkSelectStmt(pSelect, SQL_CLAUSE_FROM, authSelectImpl, &cxt);
  return pCxt->errCode;
}

static int32_t authSetOperator(SAuthCxt* pCxt, SSetOperator* pSetOper) {
  int32_t code = authQuery(pCxt, pSetOper->pLeft);
  if (TSDB_CODE_SUCCESS == code) {
    code = authQuery(pCxt, pSetOper->pRight);
  }
  return code;
}

static int32_t authDropUser(SAuthCxt* pCxt, SDropUserStmt* pStmt) {
  if (!pCxt->pParseCxt->isSuperUser || 0 == strcmp(pStmt->userName, TSDB_DEFAULT_USER)) {
    return TSDB_CODE_PAR_PERMISSION_DENIED;
  }
  return TSDB_CODE_SUCCESS;
}

static int32_t authDelete(SAuthCxt* pCxt, SDeleteStmt* pDelete) {
  SNode*      pTagCond = NULL;
  STableNode* pTable = (STableNode*)pDelete->pFromTable;
  int32_t     code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);
  if (TSDB_CODE_SUCCESS == code && NULL != pTagCond) {
    code = rewriteAppendStableTagCond(&pDelete->pWhere, pTagCond, pTable);
  }
  return code;
}

static int32_t authInsert(SAuthCxt* pCxt, SInsertStmt* pInsert) {
  SNode*      pTagCond = NULL;
  STableNode* pTable = (STableNode*)pInsert->pTable;
  // todo check tag condition for subtable
  int32_t code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);
  if (TSDB_CODE_SUCCESS == code) {
    code = authQuery(pCxt, pInsert->pQuery);
  }
  return code;
}

static int32_t authShowTables(SAuthCxt* pCxt, SShowStmt* pStmt) {
  return checkAuth(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, AUTH_TYPE_READ_OR_WRITE, NULL);
}

static int32_t authShowCreateTable(SAuthCxt* pCxt, SShowCreateTableStmt* pStmt) {
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_READ, &pTagCond);
}

static int32_t authShowCreateView(SAuthCxt* pCxt, SShowCreateViewStmt* pStmt) {
#ifndef TD_ENTERPRISE
  return TSDB_CODE_OPS_NOT_SUPPORT;
#endif

  return TSDB_CODE_SUCCESS;
}

static int32_t authCreateTable(SAuthCxt* pCxt, SCreateTableStmt* pStmt) {
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
  return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, &pTagCond);
}

static int32_t authCreateMultiTable(SAuthCxt* pCxt, SCreateMultiTablesStmt* pStmt) {
  int32_t code = TSDB_CODE_SUCCESS;
  SNode*  pNode = NULL;
  FOREACH(pNode, pStmt->pSubTables) {
    if (pNode->type == QUERY_NODE_CREATE_SUBTABLE_CLAUSE) {
      SCreateSubTableClause* pClause = (SCreateSubTableClause*)pNode;
      code = checkAuth(pCxt, pClause->dbName, NULL, AUTH_TYPE_WRITE, NULL);
      if (TSDB_CODE_SUCCESS != code) {
        break;
      }
    } else {
      SCreateSubTableFromFileClause* pClause = (SCreateSubTableFromFileClause*)pNode;
      code = checkAuth(pCxt, pClause->useDbName, NULL, AUTH_TYPE_WRITE, NULL);
      if (TSDB_CODE_SUCCESS != code) {
        break;
      }
    }
  }
  return code;
}

static int32_t authDropTable(SAuthCxt* pCxt, SDropTableStmt* pStmt) {
  int32_t code = TSDB_CODE_SUCCESS;
  if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {
    return TSDB_CODE_PAR_PERMISSION_DENIED;
  }
  SNode* pNode = NULL;
  FOREACH(pNode, pStmt->pTables) {
    SDropTableClause* pClause = (SDropTableClause*)pNode;
    code = checkAuth(pCxt, pClause->dbName, pClause->tableName, AUTH_TYPE_WRITE, NULL);
    if (TSDB_CODE_SUCCESS != code) {
      break;
    }
  }
  return code;
}

static int32_t authDropStable(SAuthCxt* pCxt, SDropSuperTableStmt* pStmt) {
  if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {
    return TSDB_CODE_PAR_PERMISSION_DENIED;
  }
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
}

static int32_t authAlterTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {
  SNode* pTagCond = NULL;
  // todo check tag condition for subtable
  return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);
}

static int32_t authCreateView(SAuthCxt* pCxt, SCreateViewStmt* pStmt) {
#ifndef TD_ENTERPRISE
  return TSDB_CODE_OPS_NOT_SUPPORT;
#endif
  return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, NULL);
}

static int32_t authDropView(SAuthCxt* pCxt, SDropViewStmt* pStmt) {
#ifndef TD_ENTERPRISE
  return TSDB_CODE_OPS_NOT_SUPPORT;
#endif
  return checkViewAuth(pCxt, pStmt->dbName, pStmt->viewName, AUTH_TYPE_ALTER, NULL);
}

static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {
  switch (nodeType(pStmt)) {
    case QUERY_NODE_SET_OPERATOR:
      return authSetOperator(pCxt, (SSetOperator*)pStmt);
    case QUERY_NODE_SELECT_STMT:
      return authSelect(pCxt, (SSelectStmt*)pStmt);
    case QUERY_NODE_DROP_USER_STMT:
      return authDropUser(pCxt, (SDropUserStmt*)pStmt);
    case QUERY_NODE_DELETE_STMT:
      return authDelete(pCxt, (SDeleteStmt*)pStmt);
    case QUERY_NODE_INSERT_STMT:
      return authInsert(pCxt, (SInsertStmt*)pStmt);
    case QUERY_NODE_CREATE_TABLE_STMT:
      return authCreateTable(pCxt, (SCreateTableStmt*)pStmt);
    case QUERY_NODE_CREATE_MULTI_TABLES_STMT:
      return authCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);
    case QUERY_NODE_DROP_TABLE_STMT:
      return authDropTable(pCxt, (SDropTableStmt*)pStmt);
    case QUERY_NODE_DROP_SUPER_TABLE_STMT:
      return authDropStable(pCxt, (SDropSuperTableStmt*)pStmt);
    case QUERY_NODE_ALTER_TABLE_STMT:
    case QUERY_NODE_ALTER_SUPER_TABLE_STMT:
      return authAlterTable(pCxt, (SAlterTableStmt*)pStmt);
    case QUERY_NODE_SHOW_DNODES_STMT:
    case QUERY_NODE_SHOW_MNODES_STMT:
    case QUERY_NODE_SHOW_MODULES_STMT:
    case QUERY_NODE_SHOW_QNODES_STMT:
    case QUERY_NODE_SHOW_ANODES_STMT:
    case QUERY_NODE_SHOW_ANODES_FULL_STMT:
    case QUERY_NODE_SHOW_SNODES_STMT:
    case QUERY_NODE_SHOW_BNODES_STMT:
    case QUERY_NODE_SHOW_CLUSTER_STMT:
    case QUERY_NODE_SHOW_LICENCES_STMT:
    case QUERY_NODE_SHOW_VGROUPS_STMT:
    case QUERY_NODE_SHOW_DB_ALIVE_STMT:
    case QUERY_NODE_SHOW_CLUSTER_ALIVE_STMT:
    case QUERY_NODE_SHOW_CREATE_DATABASE_STMT:
    case QUERY_NODE_SHOW_TABLE_DISTRIBUTED_STMT:
    case QUERY_NODE_SHOW_DNODE_VARIABLES_STMT:
    case QUERY_NODE_SHOW_VNODES_STMT:
    case QUERY_NODE_SHOW_SCORES_STMT:
    case QUERY_NODE_SHOW_USERS_STMT:
    case QUERY_NODE_SHOW_USERS_FULL_STMT:
    case QUERY_NODE_SHOW_USER_PRIVILEGES_STMT:
    case QUERY_NODE_SHOW_GRANTS_FULL_STMT:
    case QUERY_NODE_SHOW_GRANTS_LOGS_STMT:
    case QUERY_NODE_SHOW_CLUSTER_MACHINES_STMT:
    case QUERY_NODE_SHOW_ARBGROUPS_STMT:
    case QUERY_NODE_SHOW_ENCRYPTIONS_STMT:
      return !pCxt->pParseCxt->enableSysInfo ? TSDB_CODE_PAR_PERMISSION_DENIED : TSDB_CODE_SUCCESS;
    case QUERY_NODE_SHOW_TABLES_STMT:
    case QUERY_NODE_SHOW_STABLES_STMT:
      return authShowTables(pCxt, (SShowStmt*)pStmt);
    case QUERY_NODE_SHOW_CREATE_TABLE_STMT:
    case QUERY_NODE_SHOW_CREATE_STABLE_STMT:
      return authShowCreateTable(pCxt, (SShowCreateTableStmt*)pStmt);
//    case QUERY_NODE_SHOW_CREATE_VIEW_STMT:
//      return authShowCreateView(pCxt, (SShowCreateViewStmt*)pStmt);
    case QUERY_NODE_CREATE_VIEW_STMT:
      return authCreateView(pCxt, (SCreateViewStmt*)pStmt);
    case QUERY_NODE_DROP_VIEW_STMT:
      return authDropView(pCxt, (SDropViewStmt*)pStmt);
    default:
      break;
  }

  return TSDB_CODE_SUCCESS;
}

int32_t authenticate(SParseContext* pParseCxt, SQuery* pQuery, SParseMetaCache* pMetaCache) {
  SAuthCxt cxt = {.pParseCxt = pParseCxt, .pMetaCache = pMetaCache, .errCode = TSDB_CODE_SUCCESS};
  return authQuery(&cxt, pQuery->pRoot);
}

1	/*
2	* Copyright (c) 2019 TAOS Data, Inc. <jhtao@taosdata.com>
3	*
4	* This program is free software: you can use, redistribute, and/or modify
5	* it under the terms of the GNU Affero General Public License, version 3
6	* or later ("AGPL"), as published by the Free Software Foundation.
7	*
8	* This program is distributed in the hope that it will be useful, but WITHOUT
9	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10	* FITNESS FOR A PARTICULAR PURPOSE.
11	*
12	* You should have received a copy of the GNU Affero General Public License
13	* along with this program. If not, see <http://www.gnu.org/licenses/>.
14	*/
15
16	#include "catalog.h"
17	#include "cmdnodes.h"
18	#include "parInt.h"
19
20	typedef struct SAuthCxt {
21	SParseContext* pParseCxt;
22	SParseMetaCache* pMetaCache;
23	int32_t errCode;
24	} SAuthCxt;
25
26	typedef struct SSelectAuthCxt {
27	SAuthCxt* pAuthCxt;
28	SSelectStmt* pSelect;
29	} SSelectAuthCxt;
30
31	typedef struct SAuthRewriteCxt {
32	STableNode* pTarget;
33	} SAuthRewriteCxt;
34
35	static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt);
36
37	static int32_t setUserAuthInfo(SParseContext* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type,	573✔
38	bool isView, bool effective, SUserAuthInfo* pAuth) {
39	if (effective) {	573✔
40	snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pEffectiveUser ? pCxt->pEffectiveUser : "");	53!
41	} else {
42	snprintf(pAuth->user, sizeof(pAuth->user), "%s", pCxt->pUser);	520✔
43	}
44
45	if (NULL == pTabName) {	573✔
46	int32_t code = tNameSetDbName(&pAuth->tbName, pCxt->acctId, pDbName, strlen(pDbName));	56✔
47	if (TSDB_CODE_SUCCESS != code) return code;	56!
48	} else {
49	toName(pCxt->acctId, pDbName, pTabName, &pAuth->tbName);	517✔
50	}
51	pAuth->type = type;	573✔
52	pAuth->isView = isView;	573✔
53	return TSDB_CODE_SUCCESS;	573✔
54	}
55
56	static int32_t checkAuthImpl(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond, bool isView, bool effective) {	411,877✔
57	SParseContext* pParseCxt = pCxt->pParseCxt;	411,877✔
58	if (pParseCxt->isSuperUser) {	411,877✔
59	return TSDB_CODE_SUCCESS;	411,307✔
60	}
61
62	AUTH_RES_TYPE auth_res_type = isView ? AUTH_RES_VIEW : AUTH_RES_BASIC;	570✔
63	SUserAuthInfo authInfo = {0};	570✔
64	int32_t code = setUserAuthInfo(pCxt->pParseCxt, pDbName, pTabName, type, isView, effective, &authInfo);	570✔
65	if (TSDB_CODE_SUCCESS != code) return code;	573!
66	SUserAuthRes authRes = {0};	573✔
67	if (NULL != pCxt->pMetaCache) {	573!
68	code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);	573✔
69	#ifdef TD_ENTERPRISE
70	if (isView && TSDB_CODE_PAR_INTERNAL_ERROR == code) {	573✔
71	authInfo.isView = false;	80✔
72	code = getUserAuthFromCache(pCxt->pMetaCache, &authInfo, &authRes);	80✔
73	}
74	#endif
75	} else {
76	SRequestConnInfo conn = {.pTrans = pParseCxt->pTransporter,	×
77	.requestId = pParseCxt->requestId,	×
78	.requestObjRefId = pParseCxt->requestRid,	×
79	.mgmtEps = pParseCxt->mgmtEpSet};
80	code = catalogChkAuth(pParseCxt->pCatalog, &conn, &authInfo, &authRes);	×
81	}
82	if (TSDB_CODE_SUCCESS == code && NULL != pCond) {	573!
83	*pCond = authRes.pCond[auth_res_type];	401✔
84	}
85	return TSDB_CODE_SUCCESS == code ? (authRes.pass[auth_res_type] ? TSDB_CODE_SUCCESS : TSDB_CODE_PAR_PERMISSION_DENIED) : code;	573!
86	}
87
88
89	static int32_t checkAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {	411,334✔
90	return checkAuthImpl(pCxt, pDbName, pTabName, type, pCond, false, false);	411,334✔
91	}
92
93	static int32_t checkEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {	37✔
94	return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, false, true);	37✔
95	}
96
97	static int32_t checkViewAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {	491✔
98	return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, true, false);	491✔
99	}
100
101	static int32_t checkViewEffectiveAuth(SAuthCxt* pCxt, const char* pDbName, const char* pTabName, AUTH_TYPE type, SNode** pCond) {	16✔
102	return checkAuthImpl(pCxt, pDbName, pTabName, type, NULL, true, true);	16✔
103	}
104
105	static EDealRes authSubquery(SAuthCxt* pCxt, SNode* pStmt) {	22,106✔
106	return TSDB_CODE_SUCCESS == authQuery(pCxt, pStmt) ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;	22,106!
107	}
108
UNCOV 109	static int32_t mergeStableTagCond(SNode** pWhere, SNode* pTagCond) {	×
UNCOV 110	SLogicConditionNode* pLogicCond = NULL;	×
UNCOV 111	int32_t code = nodesMakeNode(QUERY_NODE_LOGIC_CONDITION, (SNode**)&pLogicCond);	×
UNCOV 112	if (NULL == pLogicCond) {	×
113	return code;	×
114	}
UNCOV 115	pLogicCond->node.resType.type = TSDB_DATA_TYPE_BOOL;	×
UNCOV 116	pLogicCond->node.resType.bytes = tDataTypes[TSDB_DATA_TYPE_BOOL].bytes;	×
UNCOV 117	pLogicCond->condType = LOGIC_COND_TYPE_AND;	×
UNCOV 118	code = nodesListMakeStrictAppend(&pLogicCond->pParameterList, pTagCond);	×
UNCOV 119	if (TSDB_CODE_SUCCESS == code) {	×
UNCOV 120	code = nodesListMakeAppend(&pLogicCond->pParameterList, *pWhere);	×
121	}
UNCOV 122	if (TSDB_CODE_SUCCESS == code) {	×
UNCOV 123	pWhere = (SNode)pLogicCond;	×
124	} else {
125	nodesDestroyNode((SNode*)pLogicCond);	×
126	}
UNCOV 127	return code;	×
128	}
129
130	EDealRes rewriteAuthTable(SNode* pNode, void* pContext) {	60✔
131	if (QUERY_NODE_COLUMN == nodeType(pNode)) {	60✔
132	SColumnNode* pCol = (SColumnNode*)pNode;	19✔
133	SAuthRewriteCxt* pCxt = (SAuthRewriteCxt*)pContext;	19✔
134	strcpy(pCol->tableName, pCxt->pTarget->tableName);	19✔
135	strcpy(pCol->tableAlias, pCxt->pTarget->tableAlias);	19✔
136	}
137
138	return DEAL_RES_CONTINUE;	60✔
139	}
140
141	static int32_t rewriteAppendStableTagCond(SNode** pWhere, SNode* pTagCond, STableNode* pTable) {	16✔
142	SNode* pTagCondCopy = NULL;	16✔
143	int32_t code = nodesCloneNode(pTagCond, &pTagCondCopy);	16✔
144	if (NULL == pTagCondCopy) {	16!
145	return code;	×
146	}
147
148	SAuthRewriteCxt cxt = {.pTarget = pTable};	16✔
149	nodesWalkExpr(pTagCondCopy, rewriteAuthTable, &cxt);	16✔
150
151	if (NULL == *pWhere) {	16!
152	*pWhere = pTagCondCopy;	16✔
153	return TSDB_CODE_SUCCESS;	16✔
154	}
155
UNCOV 156	if (QUERY_NODE_LOGIC_CONDITION == nodeType(*pWhere) &&	×
157	LOGIC_COND_TYPE_AND == ((SLogicConditionNode)pWhere)->condType) {	×
158	return nodesListStrictAppend(((SLogicConditionNode)pWhere)->pParameterList, pTagCondCopy);	×
159	}
160
UNCOV 161	return mergeStableTagCond(pWhere, pTagCondCopy);	×
162	}
163
164	static EDealRes authSelectImpl(SNode* pNode, void* pContext) {	3,948,759✔
165	SSelectAuthCxt* pCxt = pContext;	3,948,759✔
166	SAuthCxt* pAuthCxt = pCxt->pAuthCxt;	3,948,759✔
167	bool isView = false;	3,948,759✔
168	if (QUERY_NODE_REAL_TABLE == nodeType(pNode)) {	3,948,759✔
169	SNode* pTagCond = NULL;	357,830✔
170	STableNode* pTable = (STableNode*)pNode;	357,830✔
171	#ifdef TD_ENTERPRISE
172	SName name = {0};	357,830✔
173	toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);	357,830✔
174	STableMeta* pTableMeta = NULL;	357,830✔
175	toName(pAuthCxt->pParseCxt->acctId, pTable->dbName, pTable->tableName, &name);	357,830✔
176	int32_t code = getTargetMetaImpl(	357,830✔
177	pAuthCxt->pParseCxt, pAuthCxt->pMetaCache, &name, &pTableMeta, true);
178	if (TSDB_CODE_SUCCESS == code && TSDB_VIEW_TABLE == pTableMeta->tableType) {	357,829✔
179	isView = true;	349✔
180	}
181	taosMemoryFree(pTableMeta);	357,829✔
182	#endif
183	if (!isView) {	357,830✔
184	pAuthCxt->errCode = checkAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, &pTagCond);	357,481✔
185	if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {	357,481✔
186	pAuthCxt->errCode = checkEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);	37✔
187	}
188	if (TSDB_CODE_SUCCESS == pAuthCxt->errCode && NULL != pTagCond) {	357,481✔
189	pAuthCxt->errCode = rewriteAppendStableTagCond(&pCxt->pSelect->pWhere, pTagCond, pTable);	16✔
190	}
191	} else {
192	pAuthCxt->errCode = checkViewAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);	349✔
193	if (TSDB_CODE_SUCCESS != pAuthCxt->errCode && NULL != pAuthCxt->pParseCxt->pEffectiveUser) {	349✔
194	pAuthCxt->errCode = checkViewEffectiveAuth(pAuthCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_READ, NULL);	16✔
195	}
196	}
197	return TSDB_CODE_SUCCESS == pAuthCxt->errCode ? DEAL_RES_CONTINUE : DEAL_RES_ERROR;	357,830✔
198	} else if (QUERY_NODE_TEMP_TABLE == nodeType(pNode)) {	3,590,929✔
199	return authSubquery(pAuthCxt, ((STempTableNode*)pNode)->pSubquery);	22,106✔
200	}
201	return DEAL_RES_CONTINUE;	3,568,823✔
202	}
203
204	static int32_t authSelect(SAuthCxt* pCxt, SSelectStmt* pSelect) {	402,859✔
205	SSelectAuthCxt cxt = {.pAuthCxt = pCxt, .pSelect = pSelect};	402,859✔
206	nodesWalkSelectStmt(pSelect, SQL_CLAUSE_FROM, authSelectImpl, &cxt);	402,859✔
207	return pCxt->errCode;	402,860✔
208	}
209
210	static int32_t authSetOperator(SAuthCxt* pCxt, SSetOperator* pSetOper) {	9,364✔
211	int32_t code = authQuery(pCxt, pSetOper->pLeft);	9,364✔
212	if (TSDB_CODE_SUCCESS == code) {	9,364!
213	code = authQuery(pCxt, pSetOper->pRight);	9,364✔
214	}
215	return code;	9,364✔
216	}
217
218	static int32_t authDropUser(SAuthCxt* pCxt, SDropUserStmt* pStmt) {	48✔
219	if (!pCxt->pParseCxt->isSuperUser \|\| 0 == strcmp(pStmt->userName, TSDB_DEFAULT_USER)) {	48!
220	return TSDB_CODE_PAR_PERMISSION_DENIED;	1✔
221	}
222	return TSDB_CODE_SUCCESS;	47✔
223	}
224
225	static int32_t authDelete(SAuthCxt* pCxt, SDeleteStmt* pDelete) {	1,948✔
226	SNode* pTagCond = NULL;	1,948✔
227	STableNode* pTable = (STableNode*)pDelete->pFromTable;	1,948✔
228	int32_t code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);	1,948✔
229	if (TSDB_CODE_SUCCESS == code && NULL != pTagCond) {	1,948!
230	code = rewriteAppendStableTagCond(&pDelete->pWhere, pTagCond, pTable);	×
231	}
232	return code;	1,948✔
233	}
234
235	static int32_t authInsert(SAuthCxt* pCxt, SInsertStmt* pInsert) {	97✔
236	SNode* pTagCond = NULL;	97✔
237	STableNode* pTable = (STableNode*)pInsert->pTable;	97✔
238	// todo check tag condition for subtable
239	int32_t code = checkAuth(pCxt, pTable->dbName, pTable->tableName, AUTH_TYPE_WRITE, &pTagCond);	97✔
240	if (TSDB_CODE_SUCCESS == code) {	97!
241	code = authQuery(pCxt, pInsert->pQuery);	97✔
242	}
243	return code;	97✔
244	}
245
246	static int32_t authShowTables(SAuthCxt* pCxt, SShowStmt* pStmt) {	1,256✔
247	return checkAuth(pCxt, ((SValueNode*)pStmt->pDbName)->literal, NULL, AUTH_TYPE_READ_OR_WRITE, NULL);	1,256✔
248	}
249
250	static int32_t authShowCreateTable(SAuthCxt* pCxt, SShowCreateTableStmt* pStmt) {	121✔
251	SNode* pTagCond = NULL;	121✔
252	// todo check tag condition for subtable
253	return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_READ, &pTagCond);	121✔
254	}
255
256	static int32_t authShowCreateView(SAuthCxt* pCxt, SShowCreateViewStmt* pStmt) {	×
257	#ifndef TD_ENTERPRISE
258	return TSDB_CODE_OPS_NOT_SUPPORT;
259	#endif
260
261	return TSDB_CODE_SUCCESS;	×
262	}
263
264	static int32_t authCreateTable(SAuthCxt* pCxt, SCreateTableStmt* pStmt) {	8,057✔
265	SNode* pTagCond = NULL;	8,057✔
266	// todo check tag condition for subtable
267	return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, &pTagCond);	8,057✔
268	}
269
270	static int32_t authCreateMultiTable(SAuthCxt* pCxt, SCreateMultiTablesStmt* pStmt) {	22,321✔
271	int32_t code = TSDB_CODE_SUCCESS;	22,321✔
272	SNode* pNode = NULL;	22,321✔
273	FOREACH(pNode, pStmt->pSubTables) {	56,929!
274	if (pNode->type == QUERY_NODE_CREATE_SUBTABLE_CLAUSE) {	34,610!
275	SCreateSubTableClause* pClause = (SCreateSubTableClause*)pNode;	34,610✔
276	code = checkAuth(pCxt, pClause->dbName, NULL, AUTH_TYPE_WRITE, NULL);	34,610✔
277	if (TSDB_CODE_SUCCESS != code) {	34,609✔
278	break;	1✔
279	}
280	} else {
281	SCreateSubTableFromFileClause* pClause = (SCreateSubTableFromFileClause*)pNode;	×
282	code = checkAuth(pCxt, pClause->useDbName, NULL, AUTH_TYPE_WRITE, NULL);	×
283	if (TSDB_CODE_SUCCESS != code) {	×
284	break;	×
285	}
286	}
287	}
288	return code;	22,320✔
289	}
290
291	static int32_t authDropTable(SAuthCxt* pCxt, SDropTableStmt* pStmt) {	2,623✔
292	int32_t code = TSDB_CODE_SUCCESS;	2,623✔
293	if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {	2,623✔
294	return TSDB_CODE_PAR_PERMISSION_DENIED;	2✔
295	}
296	SNode* pNode = NULL;	2,621✔
297	FOREACH(pNode, pStmt->pTables) {	6,092!
298	SDropTableClause* pClause = (SDropTableClause*)pNode;	3,471✔
299	code = checkAuth(pCxt, pClause->dbName, pClause->tableName, AUTH_TYPE_WRITE, NULL);	3,471✔
300	if (TSDB_CODE_SUCCESS != code) {	3,471!
UNCOV 301	break;	×
302	}
303	}
304	return code;	2,621✔
305	}
306
307	static int32_t authDropStable(SAuthCxt* pCxt, SDropSuperTableStmt* pStmt) {	289✔
308	if (pStmt->withOpt && !pCxt->pParseCxt->isSuperUser) {	289✔
309	return TSDB_CODE_PAR_PERMISSION_DENIED;	1✔
310	}
311	return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);	288✔
312	}
313
314	static int32_t authAlterTable(SAuthCxt* pCxt, SAlterTableStmt* pStmt) {	3,783✔
315	SNode* pTagCond = NULL;	3,783✔
316	// todo check tag condition for subtable
317	return checkAuth(pCxt, pStmt->dbName, pStmt->tableName, AUTH_TYPE_WRITE, NULL);	3,783✔
318	}
319
320	static int32_t authCreateView(SAuthCxt* pCxt, SCreateViewStmt* pStmt) {	225✔
321	#ifndef TD_ENTERPRISE
322	return TSDB_CODE_OPS_NOT_SUPPORT;
323	#endif
324	return checkAuth(pCxt, pStmt->dbName, NULL, AUTH_TYPE_WRITE, NULL);	225✔
325	}
326
327	static int32_t authDropView(SAuthCxt* pCxt, SDropViewStmt* pStmt) {	142✔
328	#ifndef TD_ENTERPRISE
329	return TSDB_CODE_OPS_NOT_SUPPORT;
330	#endif
331	return checkViewAuth(pCxt, pStmt->dbName, pStmt->viewName, AUTH_TYPE_ALTER, NULL);	142✔
332	}
333
334	static int32_t authQuery(SAuthCxt* pCxt, SNode* pStmt) {	490,902✔
335	switch (nodeType(pStmt)) {	490,902✔
336	case QUERY_NODE_SET_OPERATOR:	9,364✔
337	return authSetOperator(pCxt, (SSetOperator*)pStmt);	9,364✔
338	case QUERY_NODE_SELECT_STMT:	402,859✔
339	return authSelect(pCxt, (SSelectStmt*)pStmt);	402,859✔
340	case QUERY_NODE_DROP_USER_STMT:	48✔
341	return authDropUser(pCxt, (SDropUserStmt*)pStmt);	48✔
342	case QUERY_NODE_DELETE_STMT:	1,948✔
343	return authDelete(pCxt, (SDeleteStmt*)pStmt);	1,948✔
344	case QUERY_NODE_INSERT_STMT:	97✔
345	return authInsert(pCxt, (SInsertStmt*)pStmt);	97✔
346	case QUERY_NODE_CREATE_TABLE_STMT:	8,057✔
347	return authCreateTable(pCxt, (SCreateTableStmt*)pStmt);	8,057✔
348	case QUERY_NODE_CREATE_MULTI_TABLES_STMT:	22,321✔
349	return authCreateMultiTable(pCxt, (SCreateMultiTablesStmt*)pStmt);	22,321✔
350	case QUERY_NODE_DROP_TABLE_STMT:	2,623✔
351	return authDropTable(pCxt, (SDropTableStmt*)pStmt);	2,623✔
352	case QUERY_NODE_DROP_SUPER_TABLE_STMT:	289✔
353	return authDropStable(pCxt, (SDropSuperTableStmt*)pStmt);	289✔
354	case QUERY_NODE_ALTER_TABLE_STMT:	3,783✔
355	case QUERY_NODE_ALTER_SUPER_TABLE_STMT:
356	return authAlterTable(pCxt, (SAlterTableStmt*)pStmt);	3,783✔
357	case QUERY_NODE_SHOW_DNODES_STMT:	940✔
358	case QUERY_NODE_SHOW_MNODES_STMT:
359	case QUERY_NODE_SHOW_MODULES_STMT:
360	case QUERY_NODE_SHOW_QNODES_STMT:
361	case QUERY_NODE_SHOW_ANODES_STMT:
362	case QUERY_NODE_SHOW_ANODES_FULL_STMT:
363	case QUERY_NODE_SHOW_SNODES_STMT:
364	case QUERY_NODE_SHOW_BNODES_STMT:
365	case QUERY_NODE_SHOW_CLUSTER_STMT:
366	case QUERY_NODE_SHOW_LICENCES_STMT:
367	case QUERY_NODE_SHOW_VGROUPS_STMT:
368	case QUERY_NODE_SHOW_DB_ALIVE_STMT:
369	case QUERY_NODE_SHOW_CLUSTER_ALIVE_STMT:
370	case QUERY_NODE_SHOW_CREATE_DATABASE_STMT:
371	case QUERY_NODE_SHOW_TABLE_DISTRIBUTED_STMT:
372	case QUERY_NODE_SHOW_DNODE_VARIABLES_STMT:
373	case QUERY_NODE_SHOW_VNODES_STMT:
374	case QUERY_NODE_SHOW_SCORES_STMT:
375	case QUERY_NODE_SHOW_USERS_STMT:
376	case QUERY_NODE_SHOW_USERS_FULL_STMT:
377	case QUERY_NODE_SHOW_USER_PRIVILEGES_STMT:
378	case QUERY_NODE_SHOW_GRANTS_FULL_STMT:
379	case QUERY_NODE_SHOW_GRANTS_LOGS_STMT:
380	case QUERY_NODE_SHOW_CLUSTER_MACHINES_STMT:
381	case QUERY_NODE_SHOW_ARBGROUPS_STMT:
382	case QUERY_NODE_SHOW_ENCRYPTIONS_STMT:
383	return !pCxt->pParseCxt->enableSysInfo ? TSDB_CODE_PAR_PERMISSION_DENIED : TSDB_CODE_SUCCESS;	940✔
384	case QUERY_NODE_SHOW_TABLES_STMT:	1,256✔
385	case QUERY_NODE_SHOW_STABLES_STMT:
386	return authShowTables(pCxt, (SShowStmt*)pStmt);	1,256✔
387	case QUERY_NODE_SHOW_CREATE_TABLE_STMT:	121✔
388	case QUERY_NODE_SHOW_CREATE_STABLE_STMT:
389	return authShowCreateTable(pCxt, (SShowCreateTableStmt*)pStmt);	121✔
390	// case QUERY_NODE_SHOW_CREATE_VIEW_STMT:
391	// return authShowCreateView(pCxt, (SShowCreateViewStmt*)pStmt);
392	case QUERY_NODE_CREATE_VIEW_STMT:	225✔
393	return authCreateView(pCxt, (SCreateViewStmt*)pStmt);	225✔
394	case QUERY_NODE_DROP_VIEW_STMT:	142✔
395	return authDropView(pCxt, (SDropViewStmt*)pStmt);	142✔
396	default:	36,829✔
397	break;	36,829✔
398	}
399
400	return TSDB_CODE_SUCCESS;	36,829✔
401	}
402
403	int32_t authenticate(SParseContext* pParseCxt, SQuery* pQuery, SParseMetaCache* pMetaCache) {	449,970✔
404	SAuthCxt cxt = {.pParseCxt = pParseCxt, .pMetaCache = pMetaCache, .errCode = TSDB_CODE_SUCCESS};	449,970✔
405	return authQuery(&cxt, pQuery->pRoot);	449,970✔
406	}

taosdata / TDengine / #3533

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous